Calling Azure Function from ADF using MSI
I am trying to call a Function app from ADF using MSI. I have enabled managed identity for ADF and have also enabled AAD authentication/authorization for the Function app.
Now when I make a web call from ADF (with the underlying specification)
I get the following error.
I even added ADF as contributor to the Function App. I must be missing something, but not sure what exactly.
First of all, please make sure you selected the Create New AD App option when you configure the function app with Azure AD auth, then Azure will do all the configurations for you automatically, this will reduce unnecessary trouble. Also remember to set the Authorization level of your function to Anonymous, because we configured the function app with Azure AD auth.
In your case, the error was caused by the wrong Resource, it should be the Application ID URI of the AD App corresponding to the function app, i.e. https://<functionapp-name>.azurewebsites.net (this is configured by Azure automatically when you select Create New AD App as mentioned above).
Besides, you should note, if you just do the steps above, all the service principals (MSI is essentially a service principal)/users in your AAD tenant can access the function app. If you just want your MSI to access the function app, then you need to leverage the Azure AD App role, I have posted the details here. If you don't mind this, just ignore step 2 and step 3, it will also work.
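
Added example, not part of the original question or answer: a small Python diagnostic that decodes a token's claims and reports the two conditions the answer describes, a Resource that does not match the function app's Application ID URI (the `aud` claim) and a missing app role (the `roles` claim). The function app name, the role name `Function.Invoke` and the sample tokens are constructed assumptions; the signature is not verified, so this is for troubleshooting only, not for authorization decisions.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def read_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, accepted_audiences, required_role=None):
    """List why this token does not fit the function app's AAD configuration."""
    claims = read_claims(token)
    problems = []
    # The Resource requested by the caller determines the token's 'aud' claim.
    if claims.get("aud") not in accepted_audiences:
        problems.append(f"aud {claims.get('aud')!r} is not an accepted audience")
    # App role assignments granted to the MSI appear in the 'roles' claim.
    if required_role and required_role not in claims.get("roles", []):
        problems.append(f"app role {required_role!r} not present in roles claim")
    return problems

# Constructed sample values (assumptions, not from the original thread).
APP_ID_URI = "https://example-func.azurewebsites.net"
ROLE = "Function.Invoke"  # hypothetical app role name
wrong_resource = make_sample_token({"aud": "https://management.azure.com/"})
no_role = make_sample_token({"aud": APP_ID_URI})
with_role = make_sample_token({"aud": APP_ID_URI, "roles": [ROLE]})

if __name__ == "__main__":
    for name, tok in [("wrong resource", wrong_resource),
                      ("right resource, no role", no_role),
                      ("right resource, role assigned", with_role)]:
        print(f"{name}: {diagnose(tok, {APP_ID_URI}, ROLE) or 'ok'}")
```

Calling `diagnose` without `required_role` reflects the default setup described in the answer, where any principal in the tenant holding a token for the right audience is accepted.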